Message-ID: <IGEOKMEENEPEICNOFDGJOEACCMAA.list.fulldisclosure@webscreen-technology.com>
From: list.fulldisclosure at webscreen-technology.com (Gareth Blades)
Subject: RE: Attack profiling tool?
> -----Original Message-----
> From: Dimitris Chontzopoulos [mailto:dchontzo@....gr]
> Sent: 11 July 2003 17:37
> To: 'Gareth Blades'
> Subject: RE: [Full-Disclosure] RE: Attack profiling tool?
>
>
> I am not trying to start a technical debate over things here, but, AFAIK
> you shouldn't blame the product (FW-1) if the reseller wasn't able to
> configure it ;-)
Very true but we did install it ourselves and go through all the options and
configure everything which would help the defence. This was a few months ago
and I believe there has been a new version since then. I wasn't involved
with the testing myself so I cannot say what the exact configuration was.
> <Yes we are limiting the number of connections but we are doing it
> selectively by not allowing the attacker to make new connections but
> allowing everyone else to...>
>
> You can also do that with FW-1, not to mention "Smart Defense" and
> "Application Intelligence" that give the product a great push so as to
> not be thought as a common "Stateful Packet Inspection Technology
> Firewall" ;-) But this is another issue, clearly not belonging in this
> list ;-)
What version were these options available in?
Are they additional license or software options?
It would be interesting to see how well they work.
> <The particular machine is a demo server so anyone may connect...>
>
> Maybe it is but when I tried to connect I was prompted for a
> username/password... This is where my "lucky guessing" regarding "Brute
> Force" was made.
There is a form on our website where people request access to the box and are
emailed the password straight away. You weren't to know this though.
> <They are TCP connections and as the client is completing the handshake
> they cannot be spoofing the source address. If the source address was
> spoofed then they would not get the SYN-ACK packet which they reply to,
> to complete the connection...>
>
> Who said anything about a three-way TCP handshake session? I am merely
> saying that the attacker CAN spoof other IP Addresses by sending SYN
> packets without expecting a SYN/ACK. Isn't that possible? I think so.
Sorry I assumed you had looked at the packet capture URL I originally posted
which shows the TCP handshake session being established.
> <I don't think they are trying to brute force the console as once the
> TCP connection is established there is no further data transfer until
> they close the connections.>
>
> This is why I mentioned "PortFuck". Download it from astalavista.box.sk
> and give it a try (you should disable your AV though because it is
> recognized as a "BAD tool"). Then all you have to do is tell "PortFuck"
> to connect to the IP Address attacked, open lots-lots-lots of
> connections to port 443 and you can have your favorite "Sniffer" or
> Webgear capturing. Then all you have to do is examine the data pattern
> from "PortFuck" against the data pattern you already have.
Thanks I will have a look at that when I get in Monday.
> Cheers,
>
> Dimitris.
>
> P.S. Don't take it personally, I am just trying to justify what I say.
No offense taken
Regards
Gareth
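The two points argued in the exchange above (a client that completes the three-way handshake must have received the SYN-ACK, so its source address is not spoofed; and a source that completes handshakes but never sends data can be identified and rate-limited by address without affecting other clients) as an added worked example. This is not code from either poster or from the product under discussion. The packet trace is constructed for illustration; the server address, the use of port 443 and the threshold of three idle connections are assumptions.

```python
"""Classify TCP sources in a trace by whether they completed the
three-way handshake and whether they sent any payload afterwards.

Added illustration for the thread above, not code from the original
posts. The packet records are constructed; only addresses, ports,
TCP flags and payload length are modelled.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"
SERVER = "192.0.2.10"   # assumed address of the attacked demo server


@dataclass
class Conn:
    syn_seen: bool = False
    synack_seen: bool = False
    handshake_done: bool = False
    payload_bytes: int = 0


def analyse(packets, server=SERVER, port=443):
    """packets: iterable of (src, sport, dst, dport, flags, payload_len).
    Returns {client_ip: [Conn, ...]} keyed by client address."""
    conns = defaultdict(Conn)          # key: (client_ip, client_port)
    for src, sport, dst, dport, flags, plen in packets:
        flags = set(flags)
        if dst == server and dport == port:          # client -> server
            c = conns[(src, sport)]
            if flags == {SYN}:
                c.syn_seen = True
            elif ACK in flags and SYN not in flags:
                # The client's ACK of our SYN-ACK proves it received the
                # SYN-ACK, i.e. the source address is routable to it.
                if c.synack_seen and not c.handshake_done:
                    c.handshake_done = True
                if c.handshake_done:
                    c.payload_bytes += plen
        elif src == server and sport == port:        # server -> client
            c = conns[(dst, dport)]
            if flags == {SYN, ACK} and c.syn_seen:
                c.synack_seen = True
    by_client = defaultdict(list)
    for (ip, _), c in conns.items():
        by_client[ip].append(c)
    return by_client


def classify(by_client, hold_threshold=3):
    """'syn-only'  : SYNs sent, SYN-ACK never ACKed -> address may be spoofed
       'conn-hold' : >= hold_threshold completed handshakes, no payload at all
                     -> real source; safe to limit new connections per address
       'normal'    : anything else"""
    out = {}
    for ip, cs in by_client.items():
        done = [c for c in cs if c.handshake_done]
        if not done:
            out[ip] = "syn-only"
        elif len(done) >= hold_threshold and all(c.payload_bytes == 0 for c in done):
            out[ip] = "conn-hold"
        else:
            out[ip] = "normal"
    return out


def full_handshake(client, cport, payload=0):
    """Constructed packets for one completed handshake, optionally with data."""
    pk = [(client, cport, SERVER, 443, ("SYN",), 0),
          (SERVER, 443, client, cport, ("SYN", "ACK"), 0),
          (client, cport, SERVER, 443, ("ACK",), 0)]
    if payload:
        pk.append((client, cport, SERVER, 443, ("PSH", "ACK"), payload))
    return pk


# Constructed trace (sample data, not a real capture):
TRACE = []
for p in range(40000, 40004):           # four idle connections, no data sent
    TRACE += full_handshake("198.51.100.7", p)
TRACE += full_handshake("203.0.113.5", 51000, payload=200)   # one normal client
for p in (1000, 1001):                  # SYNs whose SYN-ACK is never answered
    TRACE.append(("10.9.8.7", p, SERVER, 443, ("SYN",), 0))
    TRACE.append((SERVER, 443, "10.9.8.7", p, ("SYN", "ACK"), 0))


def run():
    return classify(analyse(TRACE))


if __name__ == "__main__":
    for ip, label in sorted(run().items()):
        print(ip, label)
```

The split matters for the defence: a "syn-only" source may be forged and cannot safely be blocked by address, whereas a "conn-hold" source has answered the SYN-ACK, so denying it further connections while leaving everyone else untouched is a sound per-address response.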